MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de2762eb266c1486dd5beb3f7716597924bb8cc97f94f04b77f9a9a246d7dbd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de2762eb266c1486dd5beb3f7716597924bb8cc97f94f04b77f9a9a246d7dbd2
SHA3-384 hash: c07c861cdff9a9e07a372144a5caca7d6b39f3fa3d3c3347f50746fae20e5bd43950eec329129a6d3f3085c32b343a34
SHA1 hash: b4c0a56e1e7737b6a9f860599cf8919305f81337
MD5 hash: 2ded15d14e95b8af3380590974928cb8
humanhash: oscar-beer-mike-butter
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'630'112 bytes
First seen:2022-12-02 05:28:24 UTC
Last seen:2022-12-02 07:52:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4385a52c4954ea622602f131b43369ce (2 x AsyncRAT, 1 x RedLineStealer, 1 x RemcosRAT)
ssdeep 49152:oPFaNgipEfsDAcQrnizxwtBgtMXBypNjvWnD7p:oUyCEfsUc6nbh2N4
Threatray 16'976 similar samples on MalwareBazaar
TLSH T1987522566BA450B2D47007794AB9E737167EFE330B349A4BA248BF9A2D353D24D31383
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0f4e2ccd4f0f8cc (1 x CoinMiner, 1 x Smoke Loader, 1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:copylink.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-17T17:57:59Z
Valid to:2023-02-15T17:57:58Z
Serial number: 04dfae3525fc81202de434a3c89d5879b6e1
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ccbc7347ec96910f79f99ffbac92262f8dd30a16aa6fa4e465a6ce99057bbdf0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_657262301?hash=nARLeXnnMWCTZsOVlNKCu7esmg2bQ97GZzMCVwdBYLT&dl=G43DANZVGAYDSNY:1669934451:IiFzpGuzbe6PE1KFXSKyrPFFIUrScJ8rmm7C4ZHhUd8&api=1&no_preview=1#adan

Intelligence

File Origin
# of uploads :
6
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-12-02 05:34:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff93a344-acc4-4af2-be93-42cc94151ecf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341743/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.30822.29696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Launching a process
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63898d1eec3dbefe491256d5/reports/2eec8b00-65e2-4846-a146-e6fcb1fd4b0f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd1df854-848b-4c12-84cd-6a7aa665de70
Result
Threat name:
RedLine, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126288
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de2762eb266c1486dd5beb3f7716597924bb8cc97f94f04b77f9a9a246d7dbd2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-02 00:25:40 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
9 of 40 (22.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ytwf2zgnqkinxk35m7xofszpeslxdgjp6kpas3x7gu2erwx3pja._file
Verdict:
malicious
Similar samples:
13fdfb7cb605ccb2cacf3e14906d1954e44d9c25da990d3f5b8e4f1ab052e1cb
LgoogLoader
20bf869fc73b023d7e54dc6a44ff186e938ba99f29798739e16d21fbeb9b6aca
LgoogLoader
23941746340e89fb699e4ecec106fbfd40186fc5b483bf72d82d5d5a2706863f
LgoogLoader
2fbf3507320d77ce68ad429c66ddcf0d53cedcb3cf8396c1057c820737bf9e11
LgoogLoader
3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba
LgoogLoader
4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
LgoogLoader
8e8ff8e03cef056bbb2acb1b567e1925cd4b3df439b4963457ba4825152d5c43
LgoogLoader
ca240b4fd7c8b8dc492d92070641e46fd4dd125a7e9d394d7d1bba7e83cabfca
LgoogLoader
+ 16'966 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221202-f6lk3sgf29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/190de689-c1d8-4ef0-bd5c-08453781ed98
Unpacked files
SH256 hash:
059b3a08bdcd340997c6a2f8cceef3a3acffd7138d2a8fe3f00fd3a1814ca4de
MD5 hash:
77bf51e653d1fcc81062b944796e211c
SHA1 hash:
ba0d51c66f158ebf8bd75b698e9d0021c643482c
Link:
https://www.unpac.me/results/fbccd803-e3f4-43bd-ae52-e04ace8727cf/
SH256 hash:
de2762eb266c1486dd5beb3f7716597924bb8cc97f94f04b77f9a9a246d7dbd2
MD5 hash:
2ded15d14e95b8af3380590974928cb8
SHA1 hash:
b4c0a56e1e7737b6a9f860599cf8919305f81337
Link:
https://www.unpac.me/results/fbccd803-e3f4-43bd-ae52-e04ace8727cf/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/de2762eb266c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de2762eb266c1486dd5beb3f7716597924bb8cc97f94f04b77f9a9a246d7dbd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/341743/

Comments